CERT.JE - Cyber Jobs Special Edition
Plus Cyber Security Awareness Month events, Valid Access attacks, and more
Cyber jobs, cyber events: come and join us!
We’re up and running defending Jersey. Could you join us?
Dear readers,
The last few months have been incredibly busy, standing up services and capabilities to defend Jersey. We’ve also been progressing a range of other priorities, including the proposed new cyber law, telecoms security regulations, cyber security awareness month, international accreditations… you name it, we’ve been doing it!
In the meantime, the team have been busy with our Vulnerability Advisory Service - we spot problems that could get you hacked, and tell you so you can fix them. Some take action and some don’t. The ones that don’t tend to be the ones who call us back later. So if we email or call you - please act!
Most importantly this month, we’re here to tell you about three new job vacancies we have to join the team - this will take us to our full establishment, so if you think you could work with us, now is the time to take a look.
We’re also excited to be getting ready for Cyber Security Awareness Month 2023, with tickets released for the annual conference - more below!
Regards,
Matt
PS. You may have seen the Jersey Evening Post article yesterday about AI. It’s generated a lot of interest, discussions and questions. We will have more on that in the next newsletter and in cyber security awareness month, and perhaps also in events between now and then.
PPS. You may note a change of language from CERT to Jersey Cyber Security Centre. Following discussion with Ministers, we are adjusting our branding to better reflect our role as preventative, not just responsive: we’re here to prepare, protect and defend Jersey from malicious hackers, aggressive nation states, and organised crime. We don’t wait for bad things to happen before leaping into action. So the new name is better, and will be delivered at no cost to taxpayers too.
PPPS. Do listen out for our radio campaign on Channel 103 reminding Islanders of essential steps to stay secure at home and at work, running up to Cyber Security Awareness Month.
Jersey Cyber Security Centre (CERT.JE) New Roles Released
We’re a small team seeking to operate at world class. That’s a challenge. Are you up for delivering it?
Cyber Risk Officer - lead the island on cyber risk
Head of Legal & Governance - be a cyber law guru
Cyber Engagement Officer - help others learn to be cyber secure
All the roles can also be found by searching for ‘cyber’ on the Government jobs portal.
Please note the short application dates - act now!
You can read more about our hiring in Matt’s article on LinkedIn here:
Valid accounts
by Senior Analyst James McLaren
Where would you start with making your information systems more secure? A report from CISA (the US Cybersecurity and Infrastructure Agency) might offer some clues. Read more here.
Channel Islands Cyber Security Conference 2023
You can get your tickets here today for the headline Conference on 19 October:
Save the date: Channel Islands Cyber Security Conference 2023 Tickets, Thu 19 Oct 2023 at 09:00 | Eventbrite
Speaking and sponsorship opportunities are available, please contact the CIISF or ourselves.
Passwords are not enough
We recently had a work experience student, Sam, with us on a Trident placement. Within a matter of days he had discovered a website that shared everyone’s compromised passwords in plain text - downloadable for free or for bitcoin. Almost everyone has compromised passwords, but they don’t have to compromise your life or business. Here are our top tips:
CERT.JE advisory - password security
So what is good Password Security?
Our Senior Analyst James McLaren explains.
Every day we hear on the news that there are new breaches of company data – but also every day, thousands of ordinary people suddenly find that they have lost access to Facebook, or Instagram, or email. These stories never make the news – but they can be devastating for the individuals affected. They can cause financial losses, they can wreck relationships, and they almost always cause a lot of extra work. However, there are ways to make it harder for malicious actors – here are five simple things that you can do:
- Use good passwords
- Make them unique
- Change old and compromised passwords
- Use a password manager
- Apply two-factor authentication wherever you can
Let’s look at each of these in a bit more detail:
A good password is one that is easy for you to remember but hard for a computer to guess. The old idea of eight random characters actually fails both tests – you can’t remember it, but a high-powered processor can test all combinations of eight characters in a couple of days. A much better answer is three or four random words – say fish,love,cupboard. That’s eighteen characters, and checking all combinations of 18 characters would take a computer billions of years. Drop one capital letter and a number in (fisH,love,1cupboard), and it’s pretty much unguessable. Once you have that password, you need only change it if you think it has been compromised.
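The scheme described above, as an added example that is not part of the original advisory: it picks the words with a cryptographic random source, adds the capital and the digit, and estimates how long an exhaustive search would take. The word list is a constructed sample, the guessing speed is an assumption chosen to match the "couple of days" figure for eight characters, and `word_keyspace` goes one step beyond the text by modelling an attacker who knows the word list.

```python
import secrets
import string

# Constructed sample list, far too small for real use; a real generator
# draws from a list of several thousand words.
WORDS = ["fish", "love", "cupboard", "garden", "window", "orange", "river",
         "candle", "pocket", "thunder", "marble", "saddle", "lantern",
         "button", "harbour", "meadow"]
GUESSES_PER_SECOND = 4e10  # assumed attacker speed, not a figure from the page
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def make_passphrase(n_words=3, words=WORDS):
    """Random words joined by commas, plus one capital and one digit."""
    picked = [secrets.choice(words) for _ in range(n_words)]
    w = secrets.randbelow(n_words)           # word that gets the capital
    i = secrets.randbelow(len(picked[w]))    # letter within that word
    picked[w] = picked[w][:i] + picked[w][i].upper() + picked[w][i + 1:]
    d = secrets.randbelow(n_words)           # word that gets the digit
    picked[d] = secrets.choice(string.digits) + picked[d]
    return ",".join(picked)


def char_keyspace(length, alphabet=95):
    """Every string of `length` printable ASCII characters."""
    return alphabet ** length


def word_keyspace(n_words, list_size):
    """Every ordered choice of words, for an attacker who knows the list."""
    return list_size ** n_words


def years_to_exhaust(keyspace):
    """Worst-case time to try the whole keyspace at the assumed speed."""
    return keyspace / GUESSES_PER_SECOND / SECONDS_PER_YEAR


if __name__ == "__main__":
    print("example passphrase:", make_passphrase())
    print("8 random characters: %.1f days" % (years_to_exhaust(char_keyspace(8)) * 365.25))
    print("18 characters:       %.1e years" % years_to_exhaust(char_keyspace(18)))
    for n in (3, 4, 5):
        print("%d words from a 7776-word list: %.1e years"
              % (n, years_to_exhaust(word_keyspace(n, 7776))))
```

Under the word-list model, each extra word multiplies the attacker's work by the size of the list, which is why the words need to be picked at random from a large list rather than chosen by hand.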
Passwords need to be unique. Sometimes passwords are stolen from companies that you’d log in to (which is also why you need to change old and compromised passwords). The very first thing a malicious actor will try is to see if the stolen password works on other systems – so the stolen Facebook password will be tried on Gmail, Twitter, etc. The “crown jewels” account is your email account – because most services will let you reset a forgotten password by mailing a link to your email account, and if the malicious actors have control of that, it’s game over.
This is too hard, we hear you say. But there are tools, called password managers, that make it easier. They will help you create your good passwords; they store your passwords; they will often automatically fill them in for you. Some will also advise you if a password is weak, or if it has appeared in a public data breach. All of your passwords are stored under strong encryption in what is called a vault, and the only person who has the password to the vault is you (so do keep it safe!). The team at CERT.JE have tried 1Password, Dashlane and Bitwarden’s password managers and would be happy to install any of them.
Finally – two-factor authentication. You log in with a password (something you know), and then you confirm it’s you a second way. The simplest way of doing this is when the site sends a text message to your mobile phone (something you have) with a code to input. For the majority of people, this is enough to make a malicious actor go somewhere else. Most major online sites will let you do this (they may call it multi-factor authentication instead); if you’re having trouble finding how to do it, talk to the team at CERT.JE and they will help.
These are your first steps to keeping your data safe – and making the malicious actors go somewhere else.
Can we protect our children?
An excellent short video showing what can happen when children’s data is shared online. Children are not often asked for consent by well meaning parents and carers - but should we be sharing their photos online? Here’s what the future looks like when we do.
Events & Cyber Security Awareness Month 2023
9th - 17th October - Incident Response Workshops with CERT.JE (more soon)
9th - 17th October - Drop in advice & support sessions with CERT.JE (more soon)
12th October - Guernsey Data Protection & Cyber Security Conference
12th October - Guernsey Event Reflections with Emma Martins (Guernsey) & Iain McDonald (IoM)
13th October - Cyber update at the JSCCA Conference, Jersey
19th October - Channel Islands Cyber Security Conference, Jersey & online
26th October - Pints & Passkeys, Post Horn, Jersey (more soon)
More coming soon!
Jobs
Jersey Cyber Security Centre:
Cyber Risk Officer - lead the island on cyber risk
Head of Legal & Governance - be a cyber law guru
Cyber Engagement Officer - help others learn to be cyber secure
That’s it!
There aren’t many roles over the summer as it’s not as popular a time to recruit due to holidays and so on - we were a bit constrained due to planning cycles, or we would have been earlier too. Of course, if you want to hire local cyber talent and have roles you’d like us to share, please let us know at [email protected].
Learning & Tools of the month
There is a good tutorial on Windows Forensics provided by 13Cubed on YouTube.
An invaluable repository of blue team notes to help you investigate a Windows system.
Another useful resource for understanding DLL Search Order hijacking, to help defenders spot this type of activity.